blob: cf79b318afe0ed9441af64a377b216b6d39a86f2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
|
.\" Copyright (C) 2015 Ipsilon Project Contributors
.\"
.TH "ipsilon-server-install" "1" "1.0.0" "Ipsilon" "Ipsilon Manual Pages"
.SH "NAME"
ipsilon\-server\-install \- Configure an Ipsilon Identity Provider instance
.SH "SYNOPSIS"
ipsilon\-server\-install [OPTION]...
.SH "DESCRIPTION"
Configure an Ipsilon instance to provide identity services using any of the supported and enabled protocols.
Ipsilon uses a plugable framework so some options may not be available, depending on what plugins have been installed.
Ipsilon supports three types of plugins:
1. Authentication provider plugins \- implements an authentication protocol such as SAML 2, OpenID or Persona. At least one needs to be enabled.
.br
2. Login plugins \- mechanisms for authenticating including GSSAPI, LDAP, PAM, etc. At least one should be enabled.
.br
3. Info plugins \- sources where additional attributes of the user may be obtained.
.br
There are also environment helper options which aid in configuring the Identity Provider for a particular environment, such as a FreeIPA domain.
The installation details are logged to /var/log/ipsilon\-install.log.
.SH "DATABASES"
Ipsilon stores configuration and session information in database tables. By default, a set of sqlite databases are used. If a full RDBMS is desired then the \fB\-\-database\-url\fR and/or \fB*\-dburi\fR options can be used to provide the database URIs. This should probably be used in load\-balanced situations so all servers can use the same database.
An example of a specific URI is
.br
\-\-users_dburi=postgresql://@dbserver.example.com:45432/users
The templatized version would be
.br
\-\-database\-url=postgresql://@dbserver.example.com:45432/%(dbname)s
.SH "OPTIONS"
.SS BASIC OPTIONS
.TP
\fB\-h\fR, \fB\-\-help\fR
Show this help message and exit
.TP
\fB\-\-version\fR
Show program's version number and exit
.TP
\fB\-o\fR \fILM_ORDER\fR, \fB\-\-login\-managers\-order\fR \fILM_ORDER\fR
Comma separated list of login managers
.TP
\fB\-\-hostname\fR \fIHOSTNAME\fR
The hostname used by clients to reach this instance. This is used to determine the URLs provided in SAML metadata
.TP
\fB\-\-instance\fR \fIINSTANCE\fR
Ipsilon instance name
.TP
\fB\-\-system\-user\fR \fISYSTEM_USER\fI
User account used to run the server
.TP
\fB\-\-admin\-user\fR \fIADMIN_USER\fR
User account that is assigned Ipsilon admin privileges
.TP
\fB\-\-database\-url\fR \fIDATABASE_URL\fR
The (templatized) database URL to use
.TP
\fB\-\-secure\fR
Boolean to turn on all security checks
.TP
\fB\-\-server\-debugging\fR
Enable debugging
.TP
\fB\-\-uninstall\fR
Uninstall the server and all data
.TP
\fB\-\-yes\fR
Always answer yes
.TP
\fB\-\-admin\-dburi\fR \fIADMIN_DBURI\fR
Configuration database URI (override template)
.TP
\fB\-\-users\-dburi \fIUSERS_DBURI\fR
User configuration database URI (override template)
.TP
\fB\-\-transaction\-dburi\fR \fITRANSACTION_DBURI\fR
Transaction database URI (override template)
.SS AUTHENTICATION PROVIDER OPTIONS
.TP
\fB\-\-openid\fR
Configure OpenID Provider
.TP
\fB\-\-openid\-dburi\fR \fIOPENID_DBURI\fR
OpenID database URI (override template)
.TP
\fB\-\-persona\fR
Configure Persona Provider
.TP
\fB\-\-saml2\fR
Configure SAML2 Provider
.TP
\fB\-\-saml2\-metadata\-validity\fR \fISAML2_METADATA_VALIDITY\fR
Metadata validity period in days (default \- 1825)
.SS LOGIN MANAGER OPTIONS
.TP
\fB\-\-form\fR
Configure External Form authentication
.TP
\fB\-\-form\-service\fR \fIFORM_SERVICE\fR
PAM service name to use for authentication
.TP
\fB\-\-fas\fR
Configure FAS (Fedora Authentication System) authentication
.TP
\fB\-\-ldap\fR
Configure LDAP authentication
.TP
\fB\-\-ldap\-server\-url\fR \fILDAP_SERVER_URL\fR
LDAP Server Url
.TP
\fB\-\-ldap\-bind\-dn\-template\fR \fILDAP_BIND_DN_TEMPLATE\fR
LDAP Bind DN Template
.TP
\fB\-\-ldap\-tls\-level\fR \fILDAP_TLS_LEVEL\fR
LDAP TLS level
.TP
\fB\-\-ldap\-base\-dn\fR \fILDAP_BASE_DN\fR
LDAP Base DN
.TP
\fB\-\-krb\fR
Configure Kerberos authentication
.TP
\fB\-\-krb\-httpd\-keytab\fR \fIKRB_HTTPD_KEYTAB\fR
Kerberos keytab location for HTTPD
.TP
\fB\-\-pam\fR
Configure PAM authentication
.TP
\fB\-\-pam\-service\fR \fIPAM_SERVICE\fR
PAM service name to use for authentication
.TP
\fB\-\-testauth\fR
Configure testing environment authentication
.SS INFO PROVIDER OPTIONS
\fB\-\-info\-ldap\fR
Use LDAP to populate user attrs
.TP
\fB\-\-info\-ldap\-server\-url\fR \fIINFO_LDAP_SERVER_URL\fR
LDAP Server Url
.TP
\fB\-\-info\-ldap\-bind\-dn\fR \fIINFO_LDAP_BIND_DN\fR
LDAP Bind DN
.TP
\fB\-\-info\-ldap\-bind\-pwd\fR \fIINFO_LDAP_BIND_PWD\fR
LDAP Bind Password
.TP
\fB\-\-info\-ldap\-user\-dn\-template\fR \fIINFO_LDAP_USER_DN_TEMPLATE\fR
LDAP User DN Template
.TP
\fB\-\-info\-ldap\-base\-dn\fR \fIINFO_LDAP_BASE_DN\fR
LDAP Base DN
.TP
\fB\-\-info\-nss\fR
Use passwd data to populate user attrs
.TP
\fB\-\-info\-sssd\fR \fI
Use mod_lookup_identity and SSSD to populate user attrs. SSSD must be pre\-configured for at least one domain.
.TP
\fB\-\-info\-sssd\-domain\fR \fIINFO_SSSD_DOMAIN\fR
SSSD domain to enable mod_lookup_identity for (default is all)
.SS ENVIRONMENT HELPER OPTIONS
\fB\-\-ipa\fR
Helper for IPA joined machines. This configures Ipsilon for Kerberos authentication.
.SH "EXIT STATUS"
0 if the installation was successful
1 if an error occurred
.SH "SEE ALSO"
.BR ipsilon(7),
.BR ipsilon\-client\-install(1)
|
